@Nav, rm is a "dangerous" UNIX/Linux command (read $ man rm). Use it with extreme caution. With that said, it is a quick way to delete files you are sure of. Modern Linux and Unix Desktop Environments do provide with a solution of "Trash Can", so the user easily can recover accidentally deleted files.
–
Jose Elera CampanaJan 21 '13 at 8:23

-i : Ignore case distinctions in both the PATTERN and the input files i.e. match both uppercase and lowercase character.
-a : Process a binary file as if it were text
-B Print number lines/size of leading context before matching lines.
-A: Print number lines/size of trailing context after matching lines.

To recover text file starting with "nixCraft" word on /dev/sda1 you can try following command:

# grep -i -a -B10 -A100 'nixCraft' /dev/sda1 > file.txt

Next use vi to see file.txt.

This method is ONLY useful if deleted file is text file. If you are using ext2 file system, try out recover command.

"try to find the file within it" I'm confused, how would one reasonably open a 15+ GB file and search or pipe this beast into grep? And what would you do when you found the text? How on earth is this recovery?
–
TheLQJul 9 '10 at 7:30

1

The first thing to do is to try some common tools before burning a lot of cash for an uncertain result. BTW, grep won't really help, photorec or ext3grep will.
–
wazooxJul 9 '10 at 13:46

If it's the standard rm, I hope you have a backup. The procedure to recover a deleted file would be different for each file system, if it can be done at all. Linux doesn't have a built-in "recycle bin"; once you delete a file, it's all but gone.

Any way you do it, you'll want to unplug the computer -- as soon as possible, as continuing to run the computer (even to shut it down) causes writes to the disk and increases the chance that some blocks formerly occupied by the file will be overwritten. Once you've done that, either put it in another computer, reboot off a live CD (making sure not to mount the drive unless you mount it read-only), or remove the hard drive and take it to a data recovery specialist.

The only correct answer is : restore your file from backup. Everybody must have a backup. For really important files, you should have two backups. You don't? Well, too bad, here's a lesson learnt ( Sorry to sound harsh, but I'm in data storage, and people don't back up until they lost some important data, that's a given fact. So yes, you look stupid, but so is nearly everybody else ).

OK, you have no backup. you must stop using the filesystem which contained the file RIGHT NOW. Any write activity may definitely hose the file data that may (only may) remain on disk.

if you made the tragic error to use only one partition as both the root filesystem and /home, that means you must boot from some other device. NOW .

If your file is of some common format ( Word file, JPG, etc), use Photorec. Photorec can retrieve most common file formats.

You can try the "ext3 undelete" method proposed previously, but you need to be comfortable with the command line, understand basic linux inner workings, etc.

If your file is of some special format, tough luck. I once wrote a Perl program to scan a drive for some special files, and it worked pretty well; but you'll need to know some programming to do that, and be quite at ease with linux too.

Set your expectations low. If anything was written over the 'deleted' data, you will lose it.

I have done a small amount of recovery and the best tools I found were often designed towards certain formats. For example 'photorec' was great when I wanted to get tens of thousands of jpegs recovered.

Recuva has also helped me before now and might be your best choice. (Its free, don't get tricked into paying by their ads)

At the end of the day, if what you lost is important, take the drive offline and stop writing to it. Use every piece of recovery software you can find until you get your data back or it stops being worth it. If its really important, send it to professionals at a high price.

If you've had luck with a tool before, try it again seen as you're familiar with it. At the end of the day, they shouldn't be writing to disk and so you can use software until you find one that works.

I did this a couple of years ago. My approach was to directly, no time to lose, unmount partition and then

dd if=/dev/hda1 of=backup_image.ext3

to have a backup file of the exact state of the partition. Then you can mount the partition again and continue with business as usual as you search for the the deleted file in your created image. The image will probably be VERY large since you need all the "empty" space, so it might be a practical problem to store it.

Then it was just to perform boring searches after text snippets I expected to be somewhere in the soup of partition content. E.g. to find .tex-files, I ran

which printed a large context around the phrase "subsection" and saved the output to a file to be manually searched through. I printed such a large context since it took such a long time to search the image that I'd rather not do it more times than I had to.

Also the command strings was helpful in removing binary garbage from the output, but if I recall correctly it also stripped all newlines, which could be a problem.

To find binary files in the same way, one might have success in finding a characteristic header or something of a certain file, but I imagine it to be a rather big adventure.

Brief technical notes: there are technical difficulties with disk recovery and Ext3/4. It is a long thing to explain, but briefly (and inadequately): Ext3/4 removes the "markers" that tell the OS where files are located on disk when you delete them. The files aren't scrubbed, but no one knows where on the disk they start and end anymore, and sometimes they even are fragmented at several places. Some other file systems just set the files' statuses to "deleted", but keep the location data. Then undelete is not harder than to look at file pointers with this flag (they should still be available if not too much activity has occured), and then hope their content has not been overwritten.

What is best? Rhetorical, in my view. Frequent backup is the answer to all these problems. Important data without an automated backup system is an accident waiting to happen, IMHO.

Obligatory personal anecdote: I was going to remove foo\ foo* from ~. I wrote

rm -r foo<Tab>*

, which sadly, since foo apparently was a symlink and the only file matching this, the shell made into

rm -r foo\ foo *

I pressed Enter and sat there looking at the command, which should have taken a second at most. After a bit longer time rm asked me if I wanted "to remove the write-protected file 'something'".Quite quickly I felt the chills and softly and very controlled I pressed Ctrl+c. ~Half of my ~ was deleted, but I managed to get everything of value back through above described grepping and some more or less current backups. I had some personally very valuable (read: time consuming) and very recent measurement data on disk that was lost, but I had made quadruple backups. One disappared here, another due to system outage at school, another was corrupt, and at first I couldn't find the fourth, since I by mistake had put it in the wrong folder :-D . Had not rm -r got stuck on a write-protected file, the fourth would have been eaten since that folder was mounted via sshfs in my ~. I'm a lot more careful about that kind of stuff since.

The "correct" answer is to assume there isn't a method to reliably recover, and instead restore from backups or a cloned system or reinstall.

TestDisk is a great tool, and there are other ways of being able to salvage some data from the physical drive depending on file system and recency of deletion, but the time and pain involved can be just too great, so KEEP BACKUPS (and also test that they are valid and restorable)!

The general idea is to find the link in /proc/PID/fd/DESCRIPTOR_NUMBER and copy it back to its original location. Use ps aux | grep APP_NAME to find the PID and then ls -la /proc/PID/fd/ to find the proper DESCRIPTOR_NUMBER.